circleci

borkdude 2021-08-25T12:00:40.005100Z

I was following this bit of documentation, but I was fooled by the lower case letter in the environment variable $npm_TOKEN which should probably be capital letters: https://circleci.com/blog/publishing-npm-packages-using-circleci-2-0/

borkdude 2021-08-25T12:02:34.005700Z

I have some trouble building certain jobs only when I pushed a tag:

workflows:
  version: 2
  ci:
    jobs:
      - test:
          filters:
            tags:
              only: /.*/

      - deploy:
          requires:
           - test
          filters:
            tags:
              only: /^v.*/

borkdude 2021-08-25T12:02:49.006100Z

It seems the deploy tag is always running, regardless of a tag or not

borkdude 2021-08-25T12:04:25.006600Z

The example at "Git Tag Job Execution - Deploy on tagged commit" here, also seems wrong: https://circleci.com/blog/publishing-npm-packages-using-circleci-2-0/

borkdude 2021-08-25T12:07:12.007Z

Adding:

branches:
              ignore: /.*/
solved the "always running"

borkdude 2021-08-25T12:07:59.007300Z

but now it seems to not appear anymore in case of a tag... aaaaah

borkdude 2021-08-25T12:11:07.007700Z

ffffffff.... how am I going to test this without making a gazillion useless releases?

borkdude 2021-08-25T12:14:35.008Z

any ideas @lee @rahul080327 @slipset?

lispyclouds 2021-08-25T12:14:38.008200Z

@rahul080327 has joined the channel

borkdude 2021-08-25T12:17:14.008800Z

so what I'm doing, I'm executing this:

bump-version (do (shell "npm version patch")
                   (shell "git push --atomic origin main"
                          (str "v" (:version (json/parse-string (slurp "package.json") true)))))

borkdude 2021-08-25T12:17:30.009100Z

which pushes a new git tag + commit

borkdude 2021-08-25T12:17:54.009700Z

and then circleci should always execute the test job + only the deploy job in case of such a tag

lread 2021-08-25T12:28:46.011400Z

I've been mostly in GitHub Actions these days... Do I remember @slipset generalizing circleci tag based deploy support for clj-commons though?

borkdude 2021-08-25T12:29:07.011800Z

See the top commit: it has no tag, yet the deploy job gets executed 😠

borkdude 2021-08-25T12:29:24.012300Z

This is the config I currently have:

workflows:
  version: 2
  ci:
    jobs:
      - test
      - deploy:
          requires:
           - test
          filters:
            tags:
              only: /^v.*/

lread 2021-08-25T12:37:47.012500Z

annoying!

lread 2021-08-25T12:44:55.013Z

Here is an example @slipset gave some time ago: https://github.com/clj-commons/fs/blob/master/.circleci/config.yml

borkdude 2021-08-25T12:45:34.013400Z

yeah, I've looked at that

borkdude 2021-08-25T12:45:57.013700Z

but I read now that those filters are applied in an OR fashion..

borkdude 2021-08-25T12:46:04.013900Z

it's really confusing me

lread 2021-08-25T12:46:52.014700Z

oh... OR... that seems counter-intuitive to me.

borkdude 2021-08-25T12:46:56.014900Z

I've read several forum entries about this too, it doesn't make sense to me today. Maybe I should just try github actions for this

borkdude 2021-08-25T12:48:07.015200Z

hmmm, it seems this is working now:

workflows:
  ci:
    jobs:
      - test:
          filters:
            tags:
              only: /.*/
      - deploy:
          requires:
           - test
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /^v.*/

gordon 2021-08-26T16:06:07.000100Z

These rules are evaluated top-down to work out if a job should be included or excluded If a tag is pushed: • and the push did not push a branch • and there is a tags: only filter • and the tag matches that filter then the job will be included in the workflow. If a tag is pushed: • and the push did not push a branch • and there is a tags: ignore filter • and the tag does not match that filter then the job will be included in the workflow. If a tag is pushed: • and the push did not push a branch then the job will be removed from the workflow. If a tag is pushed: • and the push also pushed a branch • and there is a branches: only filter • and the branch matches that filter then the job will be included in the workflow. If a tag is pushed: • and the push also pushed a branch • and there is a branches: ignore filter • and the branch name does not match that filter then the job will be included in the workflow If a tag is pushed: • and the push also pushed a branch • and there is a tags: ignore filter • and the tag does not match that filter then the job will be included in the workflow If a tag is pushed: • and the push also pushed a branch then the job will be included in the workflow

lread 2021-08-25T12:49:34.015500Z

I'm not grokking why, are you?

borkdude 2021-08-25T12:49:38.015700Z

no

borkdude 2021-08-25T12:50:19.015800Z

lread 2021-08-25T12:52:58.016900Z

Seems non-obvious to me too. Someone will enlighten us, I'm sure.

borkdude 2021-08-25T12:52:59.017Z

I think I'll just not use any of this filter stuff and just check programmatically what the current tag is

lread 2021-08-25T12:56:36.018400Z

For rewrite-clj on GHA, I took the approach of https://github.com/clj-commons/rewrite-clj/blob/main/doc/04-maintainer-guide.adoc#releasing. Not sure if this concept works for circleci or for your versioning scheme.

borkdude 2021-08-25T12:57:28.019200Z

I'm taking the bb tasks approach here which runs npm version which creates a git tag which is then pushed atomically with the new commit

borkdude 2021-08-25T12:57:44.019700Z

and then CI can inspect whether the current commit related to a tag or not

borkdude 2021-08-25T12:57:50.019900Z

and then deploy or not

lread 2021-08-25T12:58:09.020200Z

ah ok... that sounds good.

borkdude 2021-08-25T12:58:12.020400Z

so anyone who can commit, can trigger a release

lread 2021-08-25T12:59:46.021200Z

Yeah, for rewrite-clj I preferred to restrict release trigger to repo owner.

borkdude 2021-08-25T13:36:42.022100Z

ok, all fixed now using programming instead of config DSL: https://github.com/borkdude/nbb/blob/cc06810b06e703c60ba9751b3cb430407140d469/bb.edn#L60

lread 2021-08-25T13:55:33.022700Z

nice!

glenjamin 2021-08-25T17:29:06.023200Z

Are the credentials available to all branches?

borkdude 2021-08-25T17:37:07.024200Z

@glenjamin the npm credentials? that wasn't the problem, the problem was that the filters didn't work for me, but I figured it out a different way

glenjamin 2021-08-25T17:38:24.026Z

Sorry, I should have been clearer: I was asking for a different reason. have you got it set so that untrusted builds can access those creds? The config file alone isn’t enough to protect credentials

borkdude 2021-08-25T17:38:55.026200Z

no

👍 1
borkdude 2021-08-25T17:39:36.026700Z

you mean the "PRs can access secrets" kind of thing right? No I never do that